Skip to content

bug: KMS RotateKeyOnDemand now supports imported keys #12801

New issue
New issue
Open
#12806
Open
bug: KMS RotateKeyOnDemand now supports imported keys#12801
#12806
Labels
aws:kmsAWS Key Management Servicestatus: backlogTriaged but not yet being worked ontype: bugBug report
@willdefig

Description

@willdefig
willdefig
opened on Jun 25, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When calling the RotateKeyOnDemand in KMS, it did not support an imported key,

See https://aws.amazon.com/blogs/security/how-to-use-on-demand-rotation-for-aws-kms-imported-keys/
The new feature allows imported keys to be rotated, which should now accept a RotateKeyOnDemand request with the EXTERNAL, currently this gives an UnsupportedOperationException

Expected Behavior

This should now give a 200 OK on request of rotation

How are you starting LocalStack?

With the localstack script

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker run localstack/localstack

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

key_id = kms_create_key(Origin="EXTERNAL")["KeyId"]
aws_client.kms.rotate_key_on_demand(KeyId=key_id)

Environment

- OS: macOS 15.5
- LocalStack:
  LocalStack version: 4.5.1.dev55
  LocalStack Docker image sha:
  LocalStack build date: 2025-06-25
  LocalStack build git hash: 3d56935cb

Anything else?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    aws:kmsAWS Key Management Servicestatus: backlogTriaged but not yet being worked ontype: bugBug report

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions